AmendmcDts to the ClaiDM 

/ Claim 1 (original): A computer program product for providing end-to-end protection for 

2^ datagrams in a computer networking environment, the computer program product embodied on 

3 one or more computer-readable media and comprising computer-readable program code means 

^ for independently securing each of a plurality of network segments that comprise a network path 

^ from a datagram originator to a datagram destination, while each of one or more gateways in the 

Q network path retains cleartext access to datagrams sent on the network path. 

1 Claim 2 (ori^nal): A computer program product for providing CTid-to-end protection for 

2 datagrams in a computer networking environment, the computer program product embodied on 

3 one or more computer-readable media and comprising: 

4 computer-readable program code means for protecting each of a plxirality of network 

5 segments that comprise a network path from a datagram originator to a datagram destination, 

6 further comprising: 

7 computer-readable program code means for establishing a first protected network 

8 segment from the datagram originator to a first gateway in the network path; 

9 computer-readable program code means for cascading zero or more protected 

1 0 gateway-to-gateway segments from the first gateway to each of zero or more successive gateways 

11 in the network path; and 

2 computer-readable program code means for cascading a last protected network 

1 3 segment from a final one of the gateways to the datagram destination, wherein the final gateway 

Serial No. 09/754,893 ^ RSW920000162US1 
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1 4 may be identical to the first gateway if no gateway-to-gateway segments are required, 

1 5 wherein the first gateway and each of the zero or more successive gateways retains 

16 cleartext access to datagrams sent on the network path- 

1 Claim 3 (original): The computer program product according to Claim 2, v^erein the computer- 

2 readable program code means for establishing and the computer-readable program code means 

3 for cascading further comprise computer-readaWe program code means for establishing security 

4 associations which xise strong cryptographic techniques. 

1 Claim 4 (original): The computer program product according to Claim 3, wherein the strong 

2 cryptographic techniques used for the security associations are provided by protocols known as 

3 Internet Key Exchange and IP (Intemet Protocol) Security Protocol. 

1 Claim 5 (original): The computer program product according to Claim 2, wherem the computer- 

2 readable program code means for cascading further comprises computer-readable program code 

3 means for using identifying mformation from the first protected network segment as identifying 

4 information of the protected gateway-to-gateway segments and the protected final network 

5 segment, 

1 Claim 6 (original): The computer program product according to Claim 5, wherein the identifying 

2 information further comprises addresses of the datagram originator and the datagram destination. 

Serial No. 09/754,893 7 RSW920000162US1 ; 
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1 Claim 7 (original): The computer program product according to Claim 6, wherein the identifying 

2 infonnation further comprises a protocol identification and a port number used for the first 

3 protected network segment* 

1 Claim 8 (original): The computer program product according to Claim 4, wherein 4e datagram 

2 originator and the gateways that perform the computer-readable program code means for 

3 cascading each act in an IKE initiator role. 

1 Claim 9 (original): The computer program product according to Claim 2, wherein the datagram 

2 originator and the gateways that perform the computer-readable program code means for 

3 cascading each fiK:t as in an initiator role for a protocol known as Internet Key Exchange. 

1 Claim 1 0 (original): The computer program product according to Claim 5 or Claim 6, wherein 

2 the identifying information is copied fix)m an inbound side of each gateway to an outbound side 

3 of that gateway. 

1 Claim 1 1 (original): The computer program product according to Claim 2, wherein any of the 

2 gateways may perform services on the cleartext datagram. 

1 Claim 12 (original): The computer program product according to Claim 2, wherein operation of 
Serial No. 09/754,893 8 RSW920000162US1 
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2 the computer-readable program code means for cascading may be selectively enabled for any 

3 particular network path. 

1 Claim 13 (original): The computer program product according to Claim 12, wherein the 

2 selective enablement occurs by setting a cascading-enabled flag for the first protected network 

3 segment, and wherein datagrams sent on the network path are not protected using cascaded 

4 tuimels when the computer-readable program code means for cascading is disabled. 

1 Claim 14 (original): The computer program product according to Claim 5, wherein the 

2 identifying information may be aHered by zero or more of the gateways. 

1 Claim 1 5 (original): A system for providing end-to-end protection for datagrams in a computer 

2 networking environment, the system comprising means for independently securing each of a 

3 plurality of network segments that comprise a networic path from a first computer to a second 

4 computer, wherein a datagram originator at the first computer sends at least one datagram to a 

5 datagram destination at the second compute, while each of one or more gateways in the network 

6 path retains cleartext access to datagrams sent on the network path. 

1 Claim 1 6 (original): A system for providing end-to-end protection for datagrams in a computer 

2 networidng environment, comprising: 

3 means for protecting each of a plurality of networit segments that comprise a network 
Serial No. 09/754,893 9 RSW920000162US1 
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4 padi from a datagram originator to a datagram destination, further comprising: 

5 means for establishing a first protected network segment from the datagram 

6 originator to a first gateway in the network path; 

7 means for cascading zero or more protected galeway-to-gateway segments from 

8 the first gateway to each of zero or more successive gateways in the Mtwork path; and 

9 means for cascading a last protected network segment from a final one of the 

10 gateways to the datagram destination, wherein the final gateway may be identical to the first 

1 1 gateway if no gateway-to-gateway segments are required, 

1 2 wherein the first gateway and each of the zero or more successive gateways retains 

13 cleartext access to datagrams sent on the network path. 

1 Claim 17 (original): The system according to Claim 16, wherein the means for establishing and 

2 the means for cascading fiirther comprise means for establishing security associations which use 

3 strong cryptographic techniques, 

1 Claim 1 8 (original): The system according to Claim 17, \\iierein the strong cryptographic 

2 techniques used for the security associations are provided by protocols known as hitemet Key 

3 Exchange and IP (Internet Protocol) Security Protocol. 

1 Claim 19 (original): The system according to Claim 16, wherein the means for cascading fiarther 

2 comprises means for using identifying infonnation fiom the first protected network segment as 

Serial No. 09/754,893 10 RSW920000162US1 
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3 identifying information of the protected gateway-to-gateway segments and the protected final 

4 network segment. 

1 Claim 20 (original): The system according to Claim 19, wherein the identifying information 

2 fiuther comprises addresses of the datagram originator and the datagram destination. 

1 Claim 21 (original): The system according to Claim 20, wherein the identifying information 

2 further comprises a protocol identification and a port number used for the Grst protected network 

3 segment 

1 Claim 22 (original): The system according to Claim 1 8, wherein the datagram originator and the 

2 gateways that perform the means for cascading each act in an IKE initiator role. 

1 Claim 23 (original): The system according to Claim 16, wherein the datagram originator and' the 

2 gateways that perform the means for cascading each act as in an initiator role fc»* a protocol 

3 known as Internet Key Exchange. 

1 Claim 24 (original): The system according to Claim 19 or Claim 20, wherein flic identifying 

2 information is copied firom an inbound side of each gateway to an outbound side of that gateway. 

1 Claim 25 (original): The system according to Claim 1 6, wherein any of the gateways msy 

Serial No, 09/754,893 1 1 RSW920000162US 1 
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2 i)erfonn sendees on the cleartext datagram. 

1 Claim 26 (original): The system according to Claim 16, wherein operation of the means for 

2 cascading may be selectively enabled for any particular network path. 

1 Claim 27 (original): The system according to Claim 26, wherein the selective enablement occurs 

2 by setting a cascading-enabled flag for the &st protected network segment, and ^iiereih 

3 datagrams sent on the network path are not protected using cascaded tunnels when the means for 

4 cascading is disabled. 

1 Claim 28 (ori^nal): The system according to Claim 19, wherem the identifying information may 

2 be altered by zero or more of the gateways. 

1 Claim 29 (original): A method of providing end-to-end protection for datagrams in a computer 

2 networking environment, by indepaidently securing each of a plurality of network segments that 

3 comprise a network path from a first computer to a second computer, wherein a datagram 

4 originator at the first computer sends at least one datagram to a datagram destination at the 

5 second computer, while each of one or more gateways in the network path retains clearte?ct 

6 access to datagrams sent on the network path. 

1 Claim 30 (original): A method of providing aad-to-end protection for datagrams in a computer 
Serial No. 09/754,893 12 RSW920000162US1 
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2 networking environment, comprismg steps of: 

3 protecting each of a plurality of network segments that comprise a network path from a 

4 datagram originator to a datagram destination, further comprising steps of: 

5 establishing a first protected network segment from the datagram originator to a 

6 first gateway in the network path; 

7 cascading zero or more protected gateway-to-gateway segments from the first 

8 gateway to each of zero or more successive gateways in the network path; and 

9 cascading a last protected network segment from a final one of tiie gatewsQ^s to the 

1 0 datagram destination, wherein the final gateway may be identical to the first gateway if no 

1 1 gateway-to-gateway segments are required, 

12 wherein the first gateway and each of the zero or more successive gateways retains 

1 3 cleartext access to datagrams sent on the network path. 

1 Claim 31 (original): The method according to Claim 30, wherein the establishing step and the 

2 rascading step further comprise the step of establishing security associations which use strong 

3 cryptographic techniques- 

1 Claim 32 (original): TTie method according to Claim 3 1 , wherein flie strong cryptogr^hic 

2 techniques used for the seciirity associations are provided by protocols known as Intemet Key 

3 Exchange and DP (Intemet Protocol) Security Protocol. 
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1 Claim 33 (original): The method according to Claim 30, vs*erein the cascading step further 

2 comprises the step of xising identiiymg information from the first protected network segment as 

3 identifying infomiation of the protected gatevmy-to-gateway segmaits and the protected final 

4 netwoik segment 

1 Claim 34 (original): The method according to Claim 33, wherein the identifying information 

2 fiirther comprises addresses of the datagram originator and the datagram destination. 

1 Claim 35 (original): The method according to Claim 34, v4ierein the identifying infomiation 

2 further comprises a protocol identification and a port number used for the first protected netwoik 

3 segment. 

1 Claim 36 (original): The method according to Claim 32, wherein the datagram originator and the 

2 gateways that perform the cascading step each act in an IKE initiator role. 

1 Claim 37 (original): The method according to Claim 30, wherein the datagram originator and tl^ 

2 gateways that perform the cascading step each act as in an initiator role for a protocol kno^vn as 

3 Internet Key Exchange. 

1 Claim 38 (original): The method according to Claim 33 or Claim 34, wherein the identifying 

2 information is copied from an inbound side of each gateway to an outbound side of that gateway. 

Serial No. 09/754,893 1 4 RSW920000162US1 
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1 Claim 39 (original): The method according to Claim 30, vAerein any of the gateways may 

2 perfomi services on the cleartext datagram. 

1 Claim 40 (original): The method according to Claim 30, wherein operation of the cascading step 

2 may be selectively enabled for any particular network path. 

1 Claim 41 (original): The method according to Claim 40, wherein the selective enablement 

2 occurs by setting a cascading-enabled flag for the first protected network segment, and vrfierein 

3 datagrams sent on the network path are not protected using cascaded tunnels when the cascading 

4 step is disabled. 

1 Claim 42 (original): The method according to Claim 33, wherein the identifying information 

2 may be altered by zero or more of the gateways. 
3 

4 Claim 43 (new): A computer program product for providing end-to-end protection for datagrams 

5 in a computer networking environment, the computer program product CTfibodied on one or more 

6 computer-readable media and comprising: 

7 computer-readable program code means for protecting each of a plurality of network 

8 segments that comprise a network path from a datagram originator to a datagram destination, 

9 further comprising: 

Serial No. 09/754,893 1 5 RS W920000162US 1 
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1 0 computer-readable program code means for establishing a jSrst protected network 

1 1 segment from the datagram originator to a first gateway in the network path; 

1 2 computer-readable program code means for cascading one or more protected 

1 3 gateway-to-gateway segments from the first gateway to each of one or more successive gateways 

14 in the network path, using identilyinginfonnalionfix)m the first protected netwo A 

1 5 identifying information of the protected gateway-to-gateway segments, v^iierein the identifying 

1 6 information is copied from an inbound side of each gatewi^ to an outbound side of that gateway; 

17 and 

18 computer-readable program code means for cascading a last protected network 

1 9 segment from a final one of the gateways to the datagram destination, using identifying 

2 0 information firom the first protected network segment as identifying information of the protected 

2 1 final network segment, wherein the identifyii^ information is copied from an inboimd side of 

22 each gateway to an outbound side of that gateway, 

2 3 wherein the first gateway and each of the cme or more successive gateways retains 

2 4 cleartext acce^ to datagrams sent on the network path. 

25 . 

2 6 Claim 44 (new): A system for providing end-to-end protection for datagrams in a computer 

2 7 networking environment, compri sing; 

28 means for protecting each of a plurality of network segments that comprise a network 

2 9 patib fix)m a datagram originator to a dat^ram destination, further comprising: 

30 means for establishing a first protected network segment from the datagram 

SerialNo. 09/754,893 16 RSW920000162US1 
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originator to a first gateivay in the network path; 

means for cascading one or more protected gateway-to-gateway segments fi^om 
the first gateway to each of zero or more successive gateways in the network path, using 
identifying information from the first protected netwoik segment as identifying information of 
the protected gateway-to-gateway segments, A^erein the identifying information is copied Gcom 
an inbound side of each gateway to an outbound side of that gateway; and 

means for cascading a last protected network segment from a final one of the 
gateways to the datagram destination, using identifying information fix>m the first protected 
network segment as identifying information of the protected final network segment, wherein the 
identifying iirformation is copied fit>m an inbound side of each gateway to an outbound side of 
that gateway, 

wherein the first gateway and each of the one or more successive gateways retains 
cleaitext access to datagrams sent on the netwoik path. 

Claim 45 (new): A method of providing end-to-end protection for datagrams in a compute- 
networking environment, comprising steps of: 

protecting each of a plurality of network s^ments that comprise a network path fix)m a 
datagram originator to a datagram destination, fiirther comprising steps of: 

establishing a first protected network segment fix>m the datagram originator to a 
first gateway in the n^woik path; 

cascading one or more protected gateway-to-gateway segments fix^m the first 

Serial No. 09/754,893 17 RSW920000162US1 
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gateway to each of zero or more successive gateways in the network path, using identifying 
infonnation from the first protected network segment as identifying information of the protected 
gateway-to-gateway segments, whoiein the identifying infonnation is copied &om an inbound 
side of each gateway to an outbound side of that gateway; and 

cascading a last protected netwoik segment from a final one of the gateways to the 
datagram destination, using identifying information from the first {H-otected network segment as 
identifying information of the protected final netwoik segment, wherein the identifying 
information is copied from an inbound side of each gateway to an outbound side of that gateway, 

wherein the first gateway and each of the one or more successive gateways retains 
cleartext access to datagrams sent on the network path. 
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